Add User to Role in Authorization after initial sign up

Hello, I would like to use the Authorization module to be the source of truth for our users and roles mapping. I would like to implement the sign up flow so that after the user signs up, they are automatically added to one of the existing Groups already defined.

I would like to do this logic in a Rule. It can check to see if the (new) User is already in one or more Roles, if not then the Rule can use the API to add the User to a Role.

I basically want to use the "API" as referenced in the #1 answer in this question, but I can't find what API to use inside a Rule. Are you able to point out the API or an example Rule? I see Rules that modify the user or app metadata, and also Rules that modify the payload of the id or access tokens being returned.

I want to do this as I already have Rules that will get the Roles and permissions based on the Roles the User is in and return the list of Permissions.

2 Replies

Hey @mholtzman I believe we do what you're trying to do, but let me list it to see if you agree:

When user logs in successfully the first time, store date/time in app_metadata so that subsequent rules can use this info. Note: we don't assign a role (in our case) when user signs up, but only after successful log in

Load Auth0 authorization extension (built in rule from Auth0)

Custom rule: if user does not have role, call auth-ext (via REST) to assign default role

3 and 4 could be a single rule but I like to keep each rule limited to a single responsibility so to speak. Just a style choice.

Yes, "firstLoginDateTime" (which again, is not when they signed up, but when they first log in successfully) is used to determine which account is the "link-er" and which is the "link-ee" when we (potentially) link accounts (i.e. same email). For social accounts (e.g. Google) then 'signup' and 'first login' are the same thing. For a db connection 'email account', we treat these accounts differently before/after they verify their email address.

I think I just about have this working, but I am getting an error making the PATCH call to add the Role to the User. I am getting an HTTP 403, insufficient scope.

I noticed when I enabled the authorization extension API, the API that was automatically created did not include a scope for update:users which is required for that API call. The only users scope it automatically created was read:users. I manually created a scope for update:users and assigned it to the non-interactive Client, still doesnt work.

The API the answer in question is mentioning is the Authorization Extension API; you can enable it after installing the extension and once enabled the API is listed in the APIs section which would mean you can authorize client applications to call it.

Have in mind that the answer talks about two alternatives for a scenario related to initialize roles based on an external source and ideally the first option of using the API from a tool/migration script should be the one used as calling it from a rule will have some additional complexity.

OK, thanks for the info on enabling that API. In my use case, all information will reside within the Auth0 ecosystem. This includes users, roles, scopes, and permissions. It doesn't logically make sense to have to make an API call to my system during sign up that would then just immediately make an API call back to Auth0 to make the Role assignment.

That is why I would like all the logic in a Rule. Why do you say there is extra complexity involved with calling the API from a Rule? I understand in the question I linked to they are using an external data source for Roles mapping.

Your answer

Hint: You can notify a user about this post by typing @username

Attachments: Up to 5 attachments (including images) can be used with a maximum of 524.3 kB each and 1.0 MB total.